Agenda. New ISO/IEC developments in Process Assessment standards for IT Services. Antonio Coletta DNV IT Global Services

Transcription

1 New ISO/IEC developments in Assessment standards for IT Services Antonio Coletta DNV IT Global Services Head of Italian delegation to ISO/IEC JTC1 SC7 SPICE Days June 2008 Prague, Czech Republic Agenda Overview of SC7 and its standards History and architecture of ISO/IEC Assessment Current developments in the process assessment standard Brief introduction to ITIL and ISO/IEC IT Service ISO/IEC applied to IT Service processes Future developments Slide 2 1

2 A simple true/false test for you don t be shy! SPICE is an International Standard ISO/IEC is about software processes Models to be used with ISO/IEC are approved by ISO/IEC True True True False False False Slide 3 SPICE is not an International Standard The standard for process assessment is named ISO/IEC It is a multipart standard developed by the technical subcommittee ISO/IEC JTC1 SC7 (System & Software Engineering) SPICE (Software Improvement and Capability determination) is the acronym of a project established with a mandate from JTC1/SC7 to : - assist the standardization project in its preparatory stage to develop initial working drafts (completed in 1995); - undertake user trials in order to gain early experience data which formed the basis for revision of the published Technical Report prior to review as a full International Standard; - create market awareness and take-up of the evolving standard. The SPICE project no longer exists the task of creating market awareness has been taken on by the SPICE User Group since 2003 Slide 4 2

3 ISO/IEC JTC1 Information Technology Information Technology System & Software Engineering Information Security Slide 5 ISO/IEC JTC1 SC7 System & Software Engineering Organizational chart SC7 System & Software Engineering SWG1 Business Planning Group SWG 5 Standards Group WG 2 Systems & Software Documentation WG 4 Tools and Environment WG 6 Software Product Measurement and Evaluation WG 10 Assessment WG 7 Life Cycle WG19 Techniques for Specifying IT Systems WG 20 Software Engineering Body of Knowledge WG 21 Software Asset WG 22 Vocabulary WG24 SLC Profiles and Guidelines for VSE WG 23 Systems Quality WG 25 IT Service management WG 26 S/W Testing WG 42 Architecture WG 1A IT Governance JWG ISO/TC 54 CIF Usability Slide 6 3

4 Overview of the SC 7 collection of standards Foundation Vocabulary Software Body of Knowledge (SWEBOK) SC7 s legacy Governance Documentation 9001 Quality System Gov. Study Group TBD Architecture & Requirements Engineering Software Engineering Implementation Systems Engineering Risk & Integrity Asset Life Cycle Life Cycle Documentation Software maintenance Project Assessment IT Service System Measurement Product Characteristics Product packaging Software Quality Product Evaluation Software Functional size measurement Software Quality SQuaRe 250xx Series Tools, Methods SC7 Legacy Standards Tools and environment 10746, , , , , Specifications CDIF Modeling Slide 7 Software Life Cycle es from ISO/IEC PRIMARY PROCESSES Acquisition Supply Operation Development Maintenance ORGANISATIONAL PROCESSES Improvement SUPPORTING PROCESSES Documentation Configuration Q u a l i t y M a n a g e m. Quality Assurance Verification Validation Joint Review Audit Problem Resolution Infrastructure Training 1995 Conformity standard Specifies mandatory requirements to be met on order to declare conformity Slide 8 4

5 Example of conformity requirements Activity within Development process Slide 9 The ISO/IEC Technical Report 1998 Part 1 Concepts and introductory guide Part 9 Vocabulary Part 7 Guide for use in process improvement Part 8 Guide for use in determining supplier process capability Part 6 Guide to competency of assessors Normative Part 3 Conducting assessments Part 2 A reference model for processes and process capability Part 4 Guide to conducting assessments Part 5 An assessment model and indicator guidance ISO/IEC TR 15504: 1998 Software Assessment Slide 10 5

6 The ISO/IEC TR Assessment Framework 1998 The new standard introduces a 2-dimensional model for processes and process capability - Dimension - Categories - es (P1,, Pn) - Capability Dimension - Capability Levels (CL1,,, CL5) - Attributes (PA1.1, PA2.2.. PA5.5) Optimizing CL5 Predictable CL4 Established CL3 Managed CL2 Performed CL1 Incomplete CL0 MAN.1 ENG.2...SUP.3 Each process receives a capability level rating This is referred to as a Continuous Model Slide 11 ISO/IEC TR Assessment Focus on process objectives (what to achieve not how) and process management (measured as process capability) Capability Level 1 achievement means (somehow) achieving purpose and outcomes From level 2 to level 5 increasing effectiveness of process management Recognition of management features (capability levels and attributes) common to all process Embedded process reference model (TR part 2) with definition of Purpose and Outcomes Strongly related to ISO/IEC processes but with some differences ISO/IEC is a mixture of levels for the different processes Exemplar Assessment Model (TR part 5) provided indicators to determine level of capability during assessment Slide 12 6

7 Summary of the Levels and Attributes Optimizing The process is continuously improved to meet relevant current and projected business goals Predictable The process is enacted consistently within defined limits Established A defined process is used based on a standard process. Level 3 PA.3.1 PA.3.2 Level 4 PA.4.1 PA.4.2 Established Level 5 PA.5.1 PA.5.2 Predictable Definition Deployment Optimizing Measurement Control Innovation Optimization Level 1 PA.1.1 Level 2 PA.2.1 PA.2.2 Performed Managed Performance Performance Work Product Managed The process is managed and work products are established, controlled and maintained. Performed The process is implemented and achieves its process purpose Level 0 Incomplete Incomplete The process is not implemented or fails to achieve its purpose Slide 13 Capability Levels PA 5.1 Innovation PA 5.2 Continuous Optimization PA 4.1 Measurement PA 4.2 Control PA 3.1 Definition PA 3.2 Deployment PA 2.1 Performance PA 2.2 Work Products Level 1 : Performed Purpose Outcome Level 2: Managed Level 3: Established Level 4: Predictable Level 5: Optimizing Slide 14 7

8 Common Levels Common management levels System Testing Configuration Different processes Requirements Analysis Slide 15 Issues raised from trials 2001 Standard users confused about different models for software lifecycle processes Lack of harmonization between and Decision to revise and publish as IS after 3 years of trials of TR Agreement reached between WG 7 (12207) and WG 10 (15504) on harmonization approach: - Amendments (AMD1 and AMD2) to to include a Reference Model (PRM) with purpose and outcomes suitable for use with to remove embedded PRM and define requirements for external PRMs and PAMs to provide an exemplar Assessment Model (PAM) based on PRM (AMD1) Debate on who should define/approve PRMs/PAMs: - Only ISO/IEC (eg AMD) vs open market approach (eg. Automotive SPICE) - Decision - OK for open market but need to demonstrate and document consensus by a user community Slide 16 8

9 Reference Model AMD PRIMARY PROCESSES Acquisition Acquisition Preparation Supplier selection Supplier monitoring Customer acceptance Supply Operation Operational Use Customer support Maintenance Development Requirements elicitation System Requirements Analysis System Architecture Design Software Requirements Analysis Software Design Software Construction (Code and Unit Test) Software Integration Software Testing System Integration System Testing Software Installation SUPPORTING PROCESSES Documentation Configuration Manag. Quality Assurance Verification Validation Joint Review Audit Problem Resolution Usability Product Evaluation ORGANISATIONAL PROCESSES Organizational Alignment Organization Project Quality Risk Measurement Infrastructure Asset Improvement establishment assessment improvement Human Resource Human Resource Training Knowledge Reuse Domain Engineering Slide 17 ISO/IEC International Standard 2003 ISO/IEC Requirements for PRM determine suitability of Measurement Framework Requirements for PAM Assessment Model determine applicability of PAM Reference Model AMD1 Linked PRM and PAM for Software Life Cycle es Slide 18 9

10 Structure of ISO/IEC (IS) Guidance on Performing Assessments Guidance on Using Assessment Results Concepts and Vocabulary Performing an Assessment (normative) 2003 Compliant Reference Model (AMD1 & 2 ISO/IEC 12207) (2006) An Exemplar Assessment Model 2006 Slide 19 Automotive SPICE - Reference Model Acquisition Contract agreement Supplier monitoring Technical Requirements Legal and Administrative Req.s Project Requirements Request for proposals Supplier Qualification Supply Supplier tendering Product release Project management Risk management Measurement PRIMARY Engineering Requirements elicitation System requirements analysis System architectural design Software requirements analysis Software design Software construction Software integration test Software testing System integration test System testing ORGANISATIONAL Improvement improvement SUPPORTING Support Quality assurance Verification Joint review Documentation Configuration Problem Resolution management Change Request management Reuse Reuse program management Downloadable from http Automotive SPICE Assessment Model (PAM) RELEASE v2.3-5 May 2007 Automotive SPICE Reference Model (PRM) RELEASE v4.3-5 May 2007 Slide 20 10

11 ISO/IEC System Life Cycle es Agreement Project Technical es es es Acquisition (Clause 6.1.1) Supply (Clause 6.1.2) Project-Enabling es Life Cycle Model (Clause 6.2.1) Infrastructure (Clause 6.2.2) Project Portfolio (Clause 6.2.3) Human Resource (Clause 6.2.4) Quality (Clause 6.2.5) Project Planning (Clause 6.3.1) Project Assessment and Control (Clause 6.3.2) Decision (Clause 6.3.3) Risk (Clause 6.3.4) Configuration (Clause 6.3.5) Information (Clause 6.3.6) Measurement (Clause 6.3.7) Stakeholder Requirements Definition (Clause 6.4.1) Requirements Analysis (Clause 6.4.2) Architectural Design (Clause 6.4.3) Implementation (Clause 6.4.4) Integration (Clause 6.4.5) Verification (Clause 6.4.6) Transition (Clause 6.4.7) Validation (Clause 6.4.8) Operation (Clause 6.4.9) Maintenance (Clause ) Disposal (Clause ) Slide 21 Example process from ISO/IEC Slide 22 11

12 ISO/IEC applied on ISO/IEC Requirements for PRM Measurement Framework Requirements for PAM Assessment Model e.g PAM Reference Model e.g PRM Linked PRM and PAM for System Life Cycle es Slide 23 Structure of ISO/IEC (in 2008) Guidance on Performing Assessments Guidance on Using Assessment Results Concepts and Vocabulary Performing an Assessment (normative) Compliant Reference Model (in ISO/IEC 12207) An Exemplar Assessment Model Compliant Reference Model (in ISO/IEC 15288) An Exemplar System Lifecycle Assessment Model 2008? Slide 24 12

13 Structure of harmonized ISO/IEC and PRM Reference Model purpose - The purpose of the process is stated in a paragraph that describes at a high level the overall goal for performing the process Outcomes - An outcome is an observable result of the successful achievement of the purpose of the process. Conformity Requirements Activities - The Activities attribute is used to provide a structural decomposition of a process for implementation purposes Slide 25 Sector / Domain Based Reference and Assessment Models Component Based Development OOSPICE SPACE AUTOMOTIVE SPICE 4 SPACE European Space Agency AUTOMOTIVE SPICE Procurement Forum / SPICE UG BANKING MEDICAL DEVICE ENTERPRISE New New New BANKING SPICE CRP Henri Tudor / SPICE UG MEDISPICE SPICE User Group ENTERPRISE SPICE Federal Aviation Administration (FAA) SPICE UG Slide 26 13

14 Recent developments in ISO/IEC Organizational Maturity..et cetera Assessment Models in CMMI Area Capability Continuous Model ML5 ML4 ML3 ML2 ML 1 Staged Model PA PA PA...for a single process or area...for an established set of process areas across an organization Slide 28 14

15 Organizational Maturity in ISO/IEC Guidance on Performing Assessments Guidance on Using Assessment Results Concepts and Vocabulary Performing an Assessment (normative) Organizational Maturity (normative) Compliant Reference Model (in ISO/IEC 12207) Compliant Reference Model (in ISO/IEC 15288) An Exemplar Assessment Model An Exemplar System Lifecycle Assessment Model Organizational maturity derived from capability profiles Same approach as Part 2 no embedded OMM (Organizational Maturity Model) requirements for external models Slide 29 Assessment of Organizational Maturity Part 7 Assessment of Organizational Maturity Part 2 Performing an Assessment Organizational Maturity Model Model Scope Select, Structure Assessment Model (s) Reference Model (s) Basic Set (minimum, additional, optional) Extended Sets (minimum, additional, optional) Measurement Framework Measurement Framework Capability Levels Attributes Maturity Levels Assessment of Organizational Maturity Assessment of Capability NEW CONCEPTS Maturity Level Ratings Set of Profiles Set of Capability Levels -- Organizational Maturity -- Class of Assessment -- Type of Assessment (body) Slide 30 15

16 Deriving Maturity Levels from Capability Levels At least one basic process required Optional 5 ML5 MLn : Maturity Level n Capability Level 4 ML4 3 ML3 2 ML2 1 ML1 0 1A 1B 1C 2D 2E 2F 3D 3E 3F 4D 4E 4F 5D 5E 5F Categories Basic set 1A : Level 1 Maturity minimum set of processes 1B : Level 1 Maturity Additional processes that are required 1C : Level 1 Maturity Additional processes that are optional es Staged Model Extended sets nd : Level n Maturity minimum set of processes ne : Level n Maturity Additional processes that are required nf : Level n Maturity Additional processes that are optional Slide 31 Brief overview of IT Service models & standards From ITIL to ISO/IEC

17 ITIL Brief History ITIL = Information Technology Infrastructure Library UK Government initiative launched in 1989 A set of publications documenting best practices in IT Service itsmf Service Forum - International organization formed in Supports the development and promotes the use of ITIL - 46 national chapters - Over member companies and individual members Qualification schema for personnel managed by accredited training organizations and examination bodies Slide 33 The ITIL V.2 Books 1. Planning to Implement Service 2. Service Support 3. Service Delivery Service es 4. The Business Perspective 5. Application management 6. ICT Infrastructure 7. Security 8. (Software Asset ) Slide 34 17

18 ITIL V Slide 35 ITIL V.3 released in 2007 Slide 36 18

19 From BS to ISO/IEC itsmf requested BSI to develop a standard based on ITIL BS was first published in 2000 as a specification BS revised in 2002 as a Service System with two parts: - BS :2002 Specification for Service. - BS :2003 Code of practice for Service Well accepted even outside UK - BSI requested ISO to fast track BS15000 into an International Standard BS becomes ISO/IEC (2005) - standard assigned to SC7 WG25 Certification schema for ISO/IEC managed by itsmf as an accreditation body ( Fast tracked version maintained same structure of BS with only minor changes: - ISO/IEC :2005 Information technology - Service management - Part 1: Specification - ISO/IEC :2005 Information Technology - Service management - Part 2: Code of practice Slide 37 ISO/IEC Structure & Content System Continual Improvement Transition new/changed services Responsibility Documentation Requirements Competences, awareness & training Plan, Implement, Monitor, Improve (Plan, Do, Check, Act) Planning and Implementing new or changed services Security Availability & Continuity Release es Release Service Delivery es Service Level Service Reporting Control es Configuration Change Resolution es Incident management Problem Capacity Budgeting & Accounting for IT Services Relationship es Business Relationship Supplier Slide 38 19

20 Current developments of ISO/IEC New SC7 project initiated in to revise ISO/IEC for: - Further alignment with other management system standards (ISO 9001, ISO/IEC 27001) - Harmonization with other SC7 standards and vocabulary - Addition of new part on scope and applicability (starting from an itsmf base document) Strong debate on how to achieve harmonization with other SC7 standards: - Rewrite of process definitions in part 1 to create a Reference Model (like and 15288) believed to be too radical - Necessity to maintain it as a System Standard not a Service processes standard - Agreement on the creation of a Service Reference Model as an additional document (part 4) - Agreement with WG 10 to create a Assessment Model as an additional part of ISO/IEC (part 8) Slide 39 Assessing IT Service es Putting ISO/IEC & ISO/IEC together 20

21 ISO/IEC for IT Service Guidance on Performing Assessments Guidance on Using Assessment Results Concepts and Vocabulary Performing an Assessment (normative) Organizational Maturity (normative) Compliant Reference Model (in ISO/IEC 12207) Compliant Reference Model (in ISO/IEC 15288) An Exemplar Assessment Model An Exemplar System Lifecycle Assessment Model An Exemplar Assessment Model for IT Service ISO/IEC IT Service System (Requirements) Compliant Reference Model (ISO/IEC ) Slide 41 Contribution from National Bodies and private industries Several Reference Models and Assessment Models developed worldwide were offered as contribution to the development of the new standards PRM/PAM for IT Services Austria-Germany (Nehfort IT-Consulting KEG) Finland (FISMA) Germany-Italy (DNV ITGS) Luxembourg (Centre Henri Tudor) South Africa (National Body) USA (IBM PRM-IT) Slide 42 21

22 ISO/IEC Reference Model PRIMARY processes Service Delivery Group SDE.1 Service Level SDE.2 Service Reporting SDE.3.1 Service Continuity SDE 3.2 Service Availability SDE.4 Budgeting and Accounting of IT services SDE.5 Capacity SDE.6 Information Security Control Group CON.1 Configuration CON.2 Change Resolution Group RES.1 Incident RES.2 Problem Relationship Group REL.1 Business Relationship REL.2 Supplier Release Group RLS.1 Release Berlin agreement May 2008 MANAGEMENT SYSTEM es Group MAN.1 System Establishment and Maintenance MAN.2 System Improvement MAN.3 Audit MAN.4 Human Resource MAN.5 Risk MAN.6 Documentation Planning and Implementing New or Changed Services PLA.1 Planning and Implementing New or Changed Services Service & Improvement Group PIM.1 Improvement PIM.2 Service Improvement Slide 43 ISO/IEC revision Information Technology Service Part 1: Specification/Requirements (normative) Part 2: Guidelines for implementation (of part 1) Part 3: Guidance for the scoping and applicability of ISO/IEC Part 4: Reference Model (*) Part 5: Incremental conformity based on ISO/IEC Slide 44 22

23 Plans for publications Part 1 - Currently WD 4 - going for CD registration and ballot in second semester Estimated time for publication 2010 Part 2 Currently WD 1 - Delayed until part 1 becomes more stable Part 3 (TR) Currently passed first CD ballot - based on ISO/IEC : will go for a DTR by end of the year - publication expected 2009 Part 4 (TR) Currently WD 1 - TR - based on ISO/IEC : Will circulate for PDTR ballot in second semester Publication expected late Revision within 3 years to align with revised part 1 ISO/IEC (PAM) will follow soon after (2010?) Slide 45 The future of the standard ISO/IEC Part 1 - Concepts and Vocabulary Part 2 - Performing an Assessment Part 3 - Guidance on performing an assessment Part 4 - Guidance on use for process improvement and process capability determination Part 5 - An exemplar Assessment Model (for sw life cycle) Part 6 - An exemplar System Life Cycle Assessment Model Part 7 - Assessment of Organizational Maturity Part 8 An Exemplar Assessment Model for IT Service (WD) Part 9 Target process profile (WD) NWIP (new work item proposal plenary 2008) The application of conformity assessment methodology to process capability and organizational maturity Slide 46 23

24 Conclusions The acronym remains the same SPICE = Software Improvement and Capability determination SPICE = System Improvement and Capability determination SPICE = Service Improvement and Capability determination Slide 47 COLLABORATION Slide 48 24

25 The SPICE Academy Modeled on the French and Swedish Academies. A body of learned persons whose established opinion is widely accepted as authoritative in the field. The Academy s overall objectives are to: - Promote the consistent implementation of the standard - Co-ordinate industry trials and/or benchmarking of the standard. - Promote the technology transfer of process assessment to the industry - Support an environment which encourages worldwide recognition of conformity assessment results - Provide model interpretations of process outcomes and indicators - Initiate and support sector and regional initiatives - Encourage, acknowledge and recognize advocates in the field - Establish various prizes and awards for (lifelong) achievement in the field - Define assessor competencies and maintain assessor training syllabi as the basis for use by assessor competency schemes Slide 49 SPICE Academy Slide 50 25

26 Thank you Slide 51 26